I’ve read dozens of tutorials and guides on how to manage passwords. I dislike most of them for the simple reason that they are far too cumbersome to implement and have you memorize a dozen or more rules without telling you why. The only way an average person will use secure passwords is if it doesn’t take up too much time and attention. Here are a few pieces of advice on password management dissected and dismissed:
Periodically Change Your Password
Many claim this is necessary. However, if you use long passwords (15+), never share them, and are a typical home user with average security needs, then the answer is no. The time to change your password is right after you temporarily share it, if it is short, if it is weak, if it is used for more than one account, or if you have even the slightest suspicion that the password has been captured. In fact, an argument can be made that a policy of changing passwords frequently weakens password security, because this cumbersome requirement will cause people to simplify their password management. Common, unsafe tactics people use when faced with periodic password change include:
- Write down the password, perhaps on a sticky note posted near the screen
- Use the same password for multiple accounts
- Use short passwords
- Change the password by 1 character each time
UPDATE: see security expert Bruce Schneier’s post here for more detail on changing passwords.
Do Not Use Password Management Software
This advice is often part of a long list of security precautions. The reason cited, if a reason is given at all, is that an attacker who steals your master password through keystroke logging or some other means will have access to all of your passwords. While this is certainly possible, try searching for instances of this happening to average consumers using one of the 4 password managers I profiled here. You won’t find any. If anyone can cite an actual example, please let me know in the comments and I’ll update this post.
Two-factor authentication can at least partially address this concern by adding an extra layer of security, which makes it much more difficult for an attacker to gain access to the master password. LastPass and KeePass are two consumer-grade password managers that provide this capability.
There is actually a legitimate concern around password managers which I rarely see discussed: They can easily be used insecurely. Many people use password managers without a master password, especially if using password managers built into a browser. The passwords are then stored in clear text that can be scanned by malware. And, as I detail here, several steps are required to insure that a password manager is being used in a secure manner. However, if used correctly, password management software can greatly reduce the possibility of password theft for the average Joe. Hopefully the various posts in this series can help make that happen.
Strong Passwords Require a Mix of Numbers, Special Characters, and Both Lower and Upper Case Letters
This is not true. Length and randomness of password are far more important than the mix of characters. If there are certain accounts you need to input manually on a device without a keyboard (i.e. cell phone), you may as well use passwords composed of 15 lowercase letters, which will be much easier to type.
A random jumble of 15 lower case letters, if it is protected by a typical, strong encryption algorithm such as AES, is for all practical purposes uncrackable. I have seen many advice articles that are against the use of password managers, yet insist on passwords that include a random jumble of alphanumeric and special characters. These difficult-to-remember passwords cause people to circumvent security by doing things like posting sticky notes on their monitors with the password or using the same password for every account.
The following Mandylion spreadsheet is a terrific tool for showing you how long it would take to crack randomly generated passwords by brute force:
Brute Force Attack Time Estimator by Mandylion Labs
Plug in a purely random combination of 7 Alpha/Numeric/Special characters and you’ll see that it would take less than 79 days for an average computer to crack the password. This is far stronger than a password composed of 7 random lowercase letters (less than 15 minutes to crack), but is much weaker than a password composed of 15 random lowercase letters (over 5 million years to crack). And, as I have mentioned here, your passwords stored on web sites in encrypted form are often susceptible to rainbow attacks which can easily obtain all passwords that are less than 9 characters, and in some instances even passwords that are 14 characters long. This is why 15 character passwords make sense.
Wikipedia has a nice chart showing you password strength based on length and character types. You can see that a 64 bit-strength password is very strong and can be had with 14 lowercase letters or with 10 Alpha/Numeric/Special characters.
Simply put, password length is much more important than mixing in numbers, special characters, or capital letters.
Unfortunately, some web sites (especially banks) limit password length to less than 15, so for these sites you’ll need to use special characters and numbers to make up for the lack of length.
For users of password management software, it is no harder to automatically log in using passwords composed of a mix of special characters. So for passwords that you will never enter on cell phones, you may as well use the special characters. Some computer services do a poor job of encrypting data or use a weaker form of encryption than AES – in these cases the more diverse mix of characters may help resist some forms of attack.
Final Comments
The reason people use such terrible passwords is because manually having to manage strong passwords is hard. Periodically changing passwords or using passwords like ;iq3*;@%t will be a nuisance for the typical person, and likely circumvented.
Store unique 15-character passwords for all accounts with your password manager, protecting them all with a strong master password – and the chance of getting multiple accounts compromised will be much lower than that of the average user. Use the auto-fill features of your password manager and you’ll actually save time in the long run despite the better security.
It is better to have pretty good security that is easy for all, rather than perfect security that is never truly implemented because it is too onerous for the average Joe.